[CVE-2023–36939] XSS Online Security Guards Hiring System

Discovered by: Ridhesh Gohil

Vendor Homepage: https://phpgurukul.com/online-security-guards-hiring-system-using-php-and-mysql/

What is XSS?

Cross-Site Scripting (XSS) is a web application vulnerability when an attacker injects malicious scripts into a trusted website. These scripts can be written in various scripting languages, such as JavaScript, and are executed by unsuspecting users’ browsers. XSS attacks can have many negative consequences, including stealing sensitive user information, hijacking user sessions, or defacing websites.

Bug Description:

A cross-site scripting (XSS) vulnerability in Online Security Guards Hiring System allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the search booking field.

Steps to Reproduce

1. Go to this URL http://localhost/osghs/admin/search.php, login as admin, and click on Search Request

2. Then enter this XSS payload <script>alert(2)</script>, click on search button, and the pop up will come

I requested for CVE Id for this vulnerability from https://cveform.mitre.org and a few weeks later I received mail that my request was approved this way I got assigned CVE-2023–36939

Special Thanks to my mentors Rohit Gautam sir and Shifa Cyclewala ma’am.❤🤗

Thank you so much for reading. 🤗

My LinkedIn ID: https://www.linkedin.com/in/ridhesh-gohil